Netgate Discussion Forum

    HA sync overwrites certificates on backup router even if unchecked

    Category: HA/CARP/VIPs
    SteveITS (Rebel Alliance), last edited by SteveITS:

      I set up ACME/LE certs on our two data center routers yesterday. Twice since then I have noticed the cert is missing on the backup router, even though I disabled sync of certificates:
      [screenshot: HA sync settings with certificate sync unchecked]

      I'm assuming that is not expected? The backup router web server is left running with a live cert, but the web server cert dropdown is set to "IKEv2 server," the first cert it has in its list. So presumably it would break upon restart. The CAs are overwritten and the router1 cert is on router2 as well, so they all synced.

      If expected, what is the solution, to use a wildcard cert? That's what we previously had, so had been syncing certs on purpose.

      These routers are still on 25.07, though I don't see anything in later release notes about this.

      To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
      Only install packages for your version of pfSense.
      Upvote 👍 helpful posts!

      SteveITS (Rebel Alliance), replying to SteveITS:

        If I read a bit further in the list I get to "OpenVPN configuration (Implies CA/Cert/CRL Sync)". We don't use that anymore, so I suppose I can uncheck that. 🤕

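The implied sync that SteveITS found is easy to miss when reviewing an HA configuration, because the certificate checkbox itself reads as "off". The script below is an added example, not code from this thread or from pfSense: it parses a constructed config.xml <hasync> fragment and reports whether certificates will be pushed to the secondary, either because the certificate option is on or because the OpenVPN option is on. The element names (synchronizecerts, synchronizeopenvpn and the others) are an assumption based on pfSense's config naming and should be checked against a real configuration backup before the script is used on one.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml <hasync> section.
# Element names are an assumption based on pfSense naming; confirm them
# against a real config backup before relying on this script.
SAMPLE_CONFIG = """<pfsense>
  <hasync>
    <pfsyncenabled>on</pfsyncenabled>
    <synchronizetoip>192.0.2.2</synchronizetoip>
    <username>admin</username>
    <synchronizerules>on</synchronizerules>
    <synchronizeopenvpn>on</synchronizeopenvpn>
  </hasync>
</pfsense>
"""

# Options that pull the CA/Cert/CRL sections along with them even when the
# dedicated certificate checkbox is off. The thread names OpenVPN; extend
# this tuple only with options you have confirmed behave the same way.
IMPLIES_CERT_SYNC = ("synchronizeopenvpn",)

# A ticked checkbox is stored as a present element, either empty or with a
# truthy value; an absent element means unticked.
TRUE_VALUES = {"", "on", "yes", "1", "true"}


def option_enabled(hasync, name):
    """True if the named <hasync> option is present and not explicitly off."""
    element = hasync.find(name)
    if element is None:
        return False
    return (element.text or "").strip().lower() in TRUE_VALUES


def effective_cert_sync(config_xml):
    """Return (enabled, reasons): whether certificates will be pushed to the
    secondary on the next sync, and which options cause it."""
    root = ET.fromstring(config_xml)
    hasync = root.find("hasync")
    if hasync is None:
        return False, []
    reasons = []
    if option_enabled(hasync, "synchronizecerts"):
        reasons.append("synchronizecerts")
    for option in IMPLIES_CERT_SYNC:
        if option_enabled(hasync, option):
            reasons.append(f"{option} (implies CA/Cert/CRL sync)")
    return bool(reasons), reasons


if __name__ == "__main__":
    enabled, reasons = effective_cert_sync(SAMPLE_CONFIG)
    if enabled:
        print("Certificates WILL be synced to the secondary because of:")
        for reason in reasons:
            print("  -", reason)
    else:
        print("Certificate sync is off; certs local to the secondary stay put.")
```

Run it against a config backup before building separate certificates on the secondary: if it reports any reason, whatever lives under the secondary's CA/cert/CRL sections is going to be replaced on the next sync, regardless of how the certificate checkbox looks.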
        Derelict (LAYER 8 Netgate), replying to SteveITS:

          @SteveITS I use acme to obtain a certificate with three hostnames, fw-xyz.domain.com (CARP VIP), fw-a-xyz.domain.com (Primary), and fw-b-xyz.domain.com (Secondary). This runs on the primary and syncs to the secondary. Works great.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          SteveITS (Rebel Alliance), replying to Derelict:

            @Derelict Yeah, that’d be the other option and basically what we did with the wildcard cert. Might be cleaner to let the certs sync. It just surprised me to carefully test it all on r2, set up one cert on r1, and everything disappeared on r2.

            We were using the wildcard in a lot of places but are looking to avoid replacing that many cert locations every 47 days going forward… :(

            Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.